TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Improved Controls Are Needed to Ensure That All Planned Corrective Actions for Security Weaknesses Are Fully Implemented to Protect Taxpayer Data

September 27, 2013

Reference Number: 2013-20-117

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.treasury.gov/tigta

HIGHLIGHTS

IMPROVED CONTROLS ARE NEEDED TO ENSURE THAT ALL PLANNED CORRECTIVE ACTIONS FOR SECURITY WEAKNESSES ARE FULLY IMPLEMENTED TO PROTECT TAXPAYER DATA

Highlights

Final Report issued on September 27, 2013

Highlights of Reference Number: 2013-20-117 to the Internal Revenue Service Chief Financial Officer and Chief Technology Officer.

IMPACT ON TAXPAYERS

Management controls are a major part of managing an organization and provide reasonable assurance that organizational objectives are achieved. When weaknesses are identified within an organization, management controls dictate that these weaknesses need to be tracked, monitored, and reported to ensure that they are corrected. Our audit identified weakened management controls in the IRS over its closed planned corrective actions (PCA) for the security of systems involving taxpayer data. When the right degree of security diligence is not applied to systems, disgruntled insiders or malicious outsiders can exploit security weaknesses and may gain unauthorized access.

WHY TIGTA DID THE AUDIT

This audit was part of our statutory requirement to annually review the adequacy and security of IRS technology, and it addresses the IRS major management challenge of Security of Taxpayer Data and Employees. The overall objective was to determine whether closed corrective actions to security weaknesses and findings reported by TIGTA have been fully implemented, validated, and documented as implemented.

WHAT TIGTA FOUND

The Chief Financial Officer's Office of Internal Control administers the IRS's management control program and is responsible for entering, monitoring, and tracking audit report findings, recommendations, and PCAs in the Department of the Treasury's Joint Audit Management Enterprise System (JAMES). The Office of Internal Control took a major step to strengthen the IRS's management control program by recently publishing new guidance on monitoring internal controls for the PCAs. However, guidance that was in effect since May 2004 was not sufficient.

During our audit, TIGTA determined that eight (42 percent) of 19 PCAs that were approved and closed as fully implemented to address reported security weaknesses from prior TIGTA audits were only partially implemented. These PCAs involved systems with taxpayer data. In addition, documents did not support the closure of the PCAs, and supporting documents were not always uploaded to the JAMES and were not readily available. The Office of Internal Control also has a responsibility to audit IRS PCAs to ensure that they are implemented; however, it did not conduct the audits.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS further strengthen its management controls to adhere to internal control requirements, provide refresher training to employees involved in the JAMES process, audit the corrective actions for closed PCAs, and change the status of closed PCAs to open for those that were partially implemented. In their response, IRS management agreed with five of our six recommendations and plans to issue guidance on internal control requirements, provide training, and revise the procedures to improve the IRS's management controls over the PCAs.

IRS management partially agreed with the sixth recommendation to upload documentation into the JAMES for previously closed PCAs, pending the completion of a cost/benefit analysis and risk-based approach. TIGTA believes the IRS should complete our recommendation as stated, which will ensure that all PCAs over security weaknesses are implemented as reported. In addition, the IRS will be in compliance with the Department of the Treasury's mandate to upload supporting documentation to the JAMES.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION

September 27, 2013

MEMORANDUM FOR CHIEF FINANCIAL OFFICER AND CHIEF TECHNOLOGY OFFICER

FROM: Michael E. McKenney
      Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Improved Controls Are Needed to Ensure That All Planned Corrective Actions for Security Weaknesses Are Fully Implemented to Protect Taxpayer Data (Audit #201320028)

This report presents the results of our review to determine whether closed corrective actions to security weaknesses and findings reported by the Treasury Inspector General for Tax Administration in prior audits have been fully implemented, validated, and documented as implemented. We conducted this audit as part of our statutory requirement to annually review the adequacy and security of Internal Revenue Service technology.
This review addresses the major management challenge of Security for Taxpayer Data and Employees. Management's complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the Internal Revenue Service managers affected by the report recommendations. If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

Table of Contents

Background ................................................................ Page 1

Results of Review .......................................................... Page 3
    Weakened Management Controls Contributed to Information Security
    Planned Corrective Actions That Were Not Fully Implemented ............. Page 3
        Recommendations 1 and 2: ........................................... Page 9
        Recommendations 3 through 5: ....................................... Page 10
        Recommendation 6: .................................................. Page 11

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology ................ Page 12
    Appendix II – Major Contributors to This Report ........................ Page 14
    Appendix III – Report Distribution List ................................ Page 15
    Appendix IV – Assessment of Eight Planned Corrective Actions
    That Were Not Fully Implemented ........................................ Page 16
    Appendix V – Management's Response to the Draft Report ................. Page 20

Abbreviations

CDW      Compliance Data Warehouse
CFO      Chief Financial Officer
CTO      Chief Technology Officer
GAO      Government Accountability Office
IRM      Internal Revenue Manual
IRS      Internal Revenue Service
ISR      Infrastructure Security and Reviews
JAC      JAMES Audit Coordinators
JAMES    Joint Audit Management Enterprise System
OIC      Office of Internal Control
PCA      Planned Corrective Actions
POA&M    Plan of Action and Milestones
RAS      Research, Analysis, and Statistics
TIGTA    Treasury Inspector General for Tax Administration

Background

Internal controls, which are synonymous with management controls, are a major part of managing an organization. They comprise the plans, methods, and procedures used to meet missions, goals, and objectives; and in doing so, they support performance-based management. They also serve as the first line of defense in safeguarding assets and preventing and detecting errors and fraud.
They help government program managers achieve desired results through effective stewardship of public resources. Systems of internal control provide reasonable assurance that the following objectives are being achieved: 1) effectiveness and efficiency of operations, 2) reliability of financial reporting, and 3) compliance with applicable laws and regulations.

The Department of the Treasury implemented the Joint Audit Management Enterprise System (JAMES) for use by all bureaus to track, monitor, and report the status of internal control audit results. The JAMES tracks specific information on issues, findings, recommendations, and planned corrective actions (PCA) from audit reports issued by the Government Accountability Office (GAO), the Treasury Inspector General for Tax Administration (TIGTA), and the Treasury Office of Inspector General. The Department of the Treasury uses this information to assess the effectiveness and progress of bureaus in correcting their internal control deficiencies and implementing audit recommendations. The JAMES also allows bureau users to run reports to assess the effectiveness of their programs. Tracking issues, findings, recommendations, and the current status of the PCAs is mandatory to comply with the intent of the standard of internal control, the Federal Managers' Financial Integrity Act of 1982,[1] Office of Management and Budget Circulars, and Treasury Directives.

At the Internal Revenue Service (IRS), the Chief Financial Officer's (CFO) Corporate Planning and Internal Control Unit, specifically the Office of Internal Control (OIC), administers the management control program. The OIC's primary responsibilities include entering, monitoring, and tracking audit report findings, recommendations, and PCAs in the JAMES and reviewing and validating all status updates entered into the JAMES by the JAMES Audit Coordinators (JAC). The JACs, who are selected from IRS functions, are responsible for assisting management with the internal control program and serving as their function's primary liaison with the OIC.

[1] 31 U.S.C. §§ 1105, 1113, and 3512.

The JACs also assist management with meeting their reporting requirements under the Federal Managers' Financial Integrity Act, the Federal Financial Management Improvement Act of 1996,[2] and other audit reporting requirements. The JACs ensure that the most current status of action plans is posted in the JAMES and that PCAs are timely implemented. The JAC's primary responsibilities include preparing and submitting verification of the completion of the PCAs to the OIC; maintaining complete audit files to include documentation of corrective actions taken, executive certification of status updates, and concurrence memoranda; monitoring and updating the status of the PCAs; and uploading and entering all implemented status updates and supporting documentation in the JAMES.

Although the IRS has implemented this reporting and tracking process to evaluate and track corrective actions and address previously reported weaknesses, the GAO reported in March 2012[3] and in March 2013[4] that the IRS did not promptly correct known security vulnerabilities and that its process was not always working as intended.

This review was performed at the offices of the CFO and the Chief Technology Officer (CTO) in Washington, D.C., New Carrollton, Maryland, and Memphis, Tennessee, during the period February through July 2013.
We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[2] Pub. L. No. 104-208, 110 Stat. 3009.
[3] GAO, GAO-12-393, IRS Needs to Further Enhance Internal Control over Financial Reporting and Taxpayer Data, p. 23 (March 16, 2012).
[4] GAO, GAO-13-350, IRS Has Improved Controls but Needs to Resolve Weaknesses, p. 19 (March 15, 2013).

Results of Review

On April 26, 2013, the OIC took a major step to strengthen the IRS's management control program by publishing the new Internal Revenue Manual (IRM), 1.4.30, Monitoring Internal Control Planned Corrective Actions, to strengthen existing policies and procedures on internal controls. The OIC previously issued guidance, Reporting Procedures for Management Controls Coordinators, on May 25, 2004. However, this guidance was not sufficient to result in a process that was effective in supporting the management control program.

Weakened Management Controls Contributed to Information Security Planned Corrective Actions That Were Not Fully Implemented

To assess the effectiveness of the IRS's internal control program, we selected for review a judgmental sample[5] of 19 PCAs for security weaknesses reported by TIGTA that had been closed as completed.[6] Our analysis showed that eight (42 percent) PCAs had not been fully implemented and should not have been closed. All eight PCAs involve systems containing taxpayer data. Examples of corrective actions that were not fully implemented include servers not being scanned for critical and major vulnerabilities, such as default and blank passwords; databases without the latest software updates; and user accounts with long periods of inactivity that were not locked. The causes for these conditions include the IRS changing the scanning tool for its systems, which required additional time for organizational approval and the need to ensure that usable information was generated by those tools; systems development constraints; and the need for the IRS to minimize the impact of system changes to its users. As a result, the IRS is increasing its exposure to risk for malicious users exploiting accounts with default or blank passwords to steal taxpayer identities and carry out fraud schemes. The IRS is also increasing its susceptibility to performance and security weaknesses inherent in older software versions, its exposure of taxpayer data to unauthorized disclosure, and its exposure to disruptions of system operations. Appendix IV provides the details of our assessment of the eight closed PCAs that were partially implemented.

The IRS has specific guidance over its internal control program.
The OIC's prior guidance requires that proper documentation be maintained to verify implementation of a corrective action. The recently issued IRM 1.4.30 requires all supporting documentation to be uploaded and stored in the JAMES, along with a completed, signed, and dated Form 13872, Planned Corrective Action Status Update for TIGTA/GAO/MW/SD/TAS/REM Reports,[7] or other executive certification.

[5] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.
[6] We conducted site visits and performed system accesses of IRS computer systems located in Memphis, Tennessee, and the Washington, D.C., and New Carrollton, Maryland, areas.

The prior guidance and IRM require that the OIC reject the status of a corrective action if signatures are not received, are missing, or are invalid. Prior to the newly issued manual, a draft version of these requirements was forwarded to IRS business functions as early as July 2012. This IRM, along with the OIC's prior guidance, further requires the JACs to maintain complete audit files to include documentation of corrective actions taken, certification of status updates via the executive's e-mail or electronic signature, and concurrence memoranda. Also, three of the IRS's larger business divisions[8] have their own respective IRMs, which some smaller IRS business functions use for guidance. These IRMs require the same process and level of documentation and maintenance.

Additionally, the GAO Standards for Internal Control in the Federal Government[9] provide that all transactions and other significant events need to be clearly documented and the documentation should be readily available for examination. In addition, all documentation and records should be properly managed and maintained. The standards also provide that key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This includes separating the responsibilities for authorizing transactions, processing and recording them, reviewing them, and handling any related assets. No one individual should control all key aspects of a transaction or event. The separation of duties requirement is also addressed in IRM 10.8.1, Information Technology Security Policy and Guidance, which specifically provides that an employee may simultaneously hold more than one role; however, while performing the duties of one role, that role shall not be used to perform the duties of another. Each role is to be independent of the other.

For the eight PCAs that were not fully implemented and should not have been closed, we found the following internal control deficiencies.

• In three PCAs, we were not provided any documentation to support the closure of the corrective action. For the remaining five PCAs, the supporting documentation did not fully support the closed corrective action.

• In four PCAs, the Form 13872 or equivalent did not include the appropriate executive approval. In two, we identified a separation of duties weakness.
  The JAC, whose primary responsibility includes preparing and submitting verification of the completion of the PCAs, signed as the executive approving the closure.

[7] The definitions of the acronyms in the title of Form 13872 that are not self-explanatory are MW for material weakness; SD for significant deficiency; TAS for Taxpayer Advocate Service; and REM for remediation plan.
[8] The three larger divisions are the Large Business and International, Wage and Investment, and Small Business/Self-Employed Business Divisions.
[9] Government Accountability Office (formerly known as the General Accounting Office), GAO/AIMD-00-21.3.1, Internal Control: Standards for Internal Control in the Federal Government (Nov. 1999).

• In all eight PCAs, the OIC did not audit the corrective actions to ensure their implementation and proper closure.

Because the exception sample size of eight PCAs was relatively small, we conducted an assessment of these internal control deficiencies on a larger sample from the entire population of PCAs for security weaknesses reported by TIGTA to provide a better perspective. As such, we conducted further tests of a population of 147 PCAs for security weaknesses reported by TIGTA that were closed from October 2008 through December 2012. In addition, we selected a judgmental sample of 69 PCAs to determine whether the IRS was compliant with the previously mentioned procedures and standards.

Documentation did not fully support the closure of the PCAs

Through the JAMES, we analyzed documents that were available on the system and, when necessary, requested additional supporting documentation from the JACs and business functions to determine if closures of the 69 PCAs were supported. Our assessment is presented in Figure 1, followed by additional details about the results of our analysis.

Figure 1: Assessment of Supporting Documentation for the 69 Sampled PCAs
Source: TIGTA analysis of the 69 sampled PCAs.

• 22 (32 percent) did not support the closure of the PCAs. Some of the reasons the PCAs were not supported included supporting documentation was not maintained in the JAMES or with the office responsible for implementing the PCAs; supporting documentation was maintained on only one computer that crashed and no other copies exist; supporting documentation, according to the IRS, was not needed because the PCA was closed during the course of the audit and the weakness did not need to be tracked in the JAMES; and the supporting documentation was only the Form 13872.
  Typically, the Form 13872 provides the same information from the IRS's management response to TIGTA's draft reports, but written in past tense with specific actions taken.

• 23 (33 percent) partially supported the closure of the PCAs. For these, the supporting documentation for all steps or actions as stated in the PCAs was requested, but it was not provided.

• 24 (35 percent) fully supported the closure of the PCAs.

Supporting documentation was not uploaded to the JAMES

On November 1, 2010, the Department of the Treasury mandated that its bureaus upload supporting documentation to the JAMES. Prior to that date, Treasury bureaus, including the IRS, were not required to upload any supporting documentation when the PCAs were closed. While supporting documentation was required to be uploaded to the JAMES, the OIC only enforced uploading the Form 13872. For the 69 judgmentally sampled PCAs, 11 were closed after the mandate. The IRS did not upload any additional documentation supporting the implementation of the corrective action for nine of 11 PCAs.

One of the nine PCAs related to a corrective action that was superseded; however, there was no documentation in the JAMES that readily provided a reference to the new PCA. Generally, the PCAs are superseded when the same or similar recommendations are made for previously identified and reported weaknesses. We presented our concern with the superseded PCAs to OIC management. They acknowledged there is no reference to the new PCA but also cautioned that the number of superseded PCAs is minimal. Therefore, they agreed to implement a process that will include inputting reference information into the PCA record and uploading source documents to the JAMES. As a result of their actions, TIGTA will not make a recommendation for superseded PCAs.

Despite established requirements, we identified several factors contributing to why supporting documentation was not uploaded to the JAMES.

• There is no one definitive source for guidance. While the OIC has guidance, last issued on May 25, 2004, it is not widely known or used by the business functions. The OIC did not establish a Service-wide IRM over the JAMES internal control process until April 2013. While some IRS business functions have referenced existing IRM guidance from other business divisions on the internal control process, others have established their own standard operating procedures over the management control procedures that differ slightly.

• The OIC did not consistently enforce existing requirements for supporting documentation to be maintained by the JACs and for it to be uploaded to the JAMES. For example, the OIC required that only Form 13872 be uploaded to the JAMES despite established requirements from the business functions and the OIC's draft IRMs for all supporting documentation.
  Prior to the publication of the new IRM, OIC personnel stated that they could not enforce the supporting documentation requirement on the business functions until their IRM was issued.

• The Department of the Treasury mandates supporting documentation be uploaded to the JAMES but does not define supporting documentation because each bureau is unique and it wanted to offer them the flexibility to make that decision.

• The OIC does not always validate whether each PCA was implemented. OIC personnel will validate updates to the IRM and the language on the Form 13872 to ensure that the corrective action addresses the weakness and finding.

Supporting documentation did not include appropriate executive approval

From our population of 147 security-related PCAs where a Form 13872 or equivalent was available, we found that 30 (50 percent) of 60 PCAs were signed by an executive not responsible for correcting the weaknesses. The executives signing as the approving official were CTO Program Oversight managers over the JACs with no delegated responsibility for signing. One manager stated that his or her signature only attested to the language in the corrective action narrative on the Form 13872 that addressed the PCA and not a validation of the actions taken. In a further analysis of the 30 PCAs, we determined that the Form 13872 in 15 (50 percent) contained a typed name that was not associated with the originating e-mail from the executive. A typed name approval is acceptable if the form is associated with the originating e-mail from the executive, but the e-mails were never retained. In addition, 11 (37 percent) of the 30 PCAs appeared to have a conflict with separation of duties. The CTO JAC who signed the Form 13872 also signed as the approving official.

To account for executive review and approval, the Cybersecurity office created an equivalent template to the Form 13872. As stated earlier, a typed name is acceptable if associated with the originating e-mail from the executive. Early this year, the CTO office, recognizing this deficiency, created a new signature line for executives responsible for the corrective actions to sign on the Form 13872. This process was unnecessary because the requirement already exists on the form in the "approving official" box. Also, the OIC does not validate the signatures on the form despite it being a requirement in its recently issued IRM, and its prior guidance to reject the status of a corrective action if the executive certification is missing, invalid, or not received. The OIC stated that it reviews the forms for a signature and that validation of the signature is the responsibility of the JACs.

The conditions existed in the CTO office because responsibilities changed when duties were reassigned or transferred from one employee to another or due to organizational changes. For example, prior to the organizational transfer of responsibilities from the Cybersecurity office to the Program Oversight office, executives responsible for implementing the corrective actions were required to sign the Form 13872 before sending it to the OIC. After the transfer of responsibility, the Program Oversight manager signed the form, approving that the corrective actions supported the PCA, before it was uploaded to the JAMES.
We were concerned with this\nprocess because the manager was attesting to the language in the corrective action narrative that\naddressed the PCA rather than a validation of the actions taken.\n\nClosed corrective actions were not audited to ensure their implementation\nAs part of its roles and responsibilities, the OIC, which administers the IRS\xe2\x80\x99s management\ncontrol program, has the responsibility for auditing corrective actions. The OIC did not audit\ncorrective actions as required. During our discussions, the OIC cited concerns with\nimplementing this responsibility due to lack of expertise.\nOur analysis identified the PCAs that were prematurely closed, which illustrates the importance\nof the audits to ensure proper implementation. For example, in one report,10 TIGTA\nrecommended that database security control weaknesses identified during the review be\nremediated. The PCA stated that the weaknesses will be placed into a Plan of Action and\nMilestones (POA&M), while giving priority to correcting or mitigating high-risk weaknesses.\nAs the PCA implies, not all weaknesses identified during the audit were remediated, but the PCA\nwas closed as implemented. In a TIGTA follow-up review on database security controls, 11 we\ncould not determine if all weaknesses were tracked, addressed, or closed for this PCA. As such,\nwe made the same recommendation that all identified vulnerabilities be remediated.\nWithout an effective management control process, the CFO cannot be assured that the\nmanagement control program is operating as intended. When this happens, the IRS cannot\nassure its stakeholders, which include the Department of the Treasury, that the PCAs were\nimplemented as reported in correcting security vulnerabilities. The IRS is subject to reviews of\nthe JAMES information by the Department of the Treasury and may not be able to support the\ncorrective actions taken or that they were fully implemented. 
When reviews occur, the IRS would provide a weakened assurance that corrective actions in the JAMES have been completed and that an executive responsible for implementing the corrective action is attesting to the actions taken as stated on the Form 13872.
Moreover, without a central repository, supporting documentation could be unavailable and lost, and much time and resources could be spent locating documentation to support the PCAs, as was experienced during our audit. Our request to obtain supporting documentation took months before the IRS fully exhausted its resources to provide some of the documentation. In addition, from a security perspective, the lack of fully effective compensating and mitigating controls impairs the IRS’s ability to ensure that its financial and taxpayer information is secure from internal and external threats. This reduces the IRS’s assurance that its financial statement and information are fairly presented or reliable and that sensitive IRS and taxpayer information is sufficiently safeguarded from unauthorized disclosure, modification, and external intrusions.

¹⁰ TIGTA, Ref. No. 2007-20-129, Standard Database Security Configurations Are Adequate, Although Much Work Is Needed to Ensure Proper Implementation p. 7 (Aug. 2007).
¹¹ TIGTA, Ref. No. 2011-20-044, Security Over Databases Could Be Enhanced to Ensure Taxpayer Data Are Protected p. 4 (May 2011).

Recommendations
We recommended that the Chief Financial Officer should:
Recommendation 1: Issue a memorandum to all business functions emphasizing the new IRM to ensure that all adhere to the requirements governing the internal control process for the JAMES. These requirements include: 1) uploading all documents supporting the status of, corrective actions taken on, and closure of the corrective action to the JAMES for both past, beginning November 1, 2010, and present PCAs; at a minimum, supporting documentation should be uploaded for corrective actions to security weaknesses and 2) certification by the executive responsible for the corrective action on its status updates and completion.
       Management’s Response: IRS management partially agreed with this recommendation. The CFO will issue a memorandum to all business units emphasizing adherence to the OIC IRM to ensure that requirements governing the internal control process for the JAMES, with respect to maintaining supporting documents for current closures and executive certification, are met. The CFO will work with the business units to assess the level of effort and cost/benefit to be derived from uploading documentation into the JAMES for previously closed corrective actions. The OIC will issue guidance following a risk-based approach for complying with the retroactive aspects of this recommendation, as appropriate.
       Office of Audit Comment: The IRS management’s response addresses our recommendation as it pertains to new closures of corrective action, but may not necessarily address previously closed corrective actions. As previously noted, our audit found only 24 (35 percent) of 69 closed corrective actions were fully supported with adequate documentation. While we recognize the potential resource commitment needed to fully implement our recommendation, we believe the IRS should complete our recommendation as stated, which will ensure that all corrective actions over security weaknesses are implemented as reported. In addition, fully implementing our recommendation will ensure that the IRS is in compliance with the Department of the Treasury’s mandate to upload supporting documentation to the JAMES.
Recommendation 2: Coordinate with business function executives to ensure that their existing guidance for the JAMES internal control process aligns with the new OIC IRM.
       Management’s Response: IRS management agreed with this recommendation. The CFO will issue a memorandum to all business unit executives advising them that 1) their existing guidance for the JAMES internal control process must be aligned with the new OIC IRM, as appropriate and 2) their revisions should be included in their next scheduled IRM update to comply with this corrective action.
Recommendation 3: Provide refresher training to all JACs and other IRS personnel who perform similar duties as the JAC over the JAMES internal control process and documentation requirements as a result of our findings and issuance of the new IRM.
       Management’s Response: IRS management agreed with this recommendation. The CFO will develop a program to provide refresher training to all JACs and other IRS personnel who perform similar duties as the JACs over the JAMES internal control process and documentation requirements.
Recommendation 4: Ensure that those who sign the Form 13872 as the JAC do not also sign as the approving official to comply with proper separation of duties standards.
       Management’s Response: IRS management agreed with this recommendation. The OIC is now verifying that those who sign the Form 13872 as the JAC do not also sign as the approving official. The CFO will also issue a memorandum to all business unit executives advising them that proper separation of duties standards must be adhered to in approving the closure of corrective actions.
Recommendation 5: Audit the IRS’s completed corrective actions to findings and weaknesses that result from external audit agencies’ issued reports beginning with those TIGTA identified as partially implemented once they are fully implemented. This action will assist with providing assurance that the PCAs are fully implemented, sufficient documentation is maintained in the JAMES, and the appropriate signatures are on the required documents. We recognize the potential resource commitment needed to audit these completed corrective actions and suggest that this action can be done periodically, at least annually, by conducting a statistical sample of the completed corrective actions. The results can be shared with the respective business functions.
       Management’s Response: IRS management agreed with this recommendation. The OIC will develop a program to formally audit completed corrective actions annually if adequate resources can be identified. Under this program, the OIC will evaluate the use of statistical sampling techniques and determine the appropriate number of completed corrective actions to be reviewed. These reviews will be conducted with the business units, and the results will be shared with them.
       Office of Audit Comment: The IRS management’s response outlined a plan to audit completed corrective actions; however, its implementation appears to be contingent upon identifying adequate resources. While we recognize the potential resource commitment needed to fully implement our recommendation, we encourage the IRS to complete our recommendation as stated, which will provide better assurance that corrective actions in the JAMES have been completed.
We also recommended that the CTO, the Director, Office of Research, Analysis, and Statistics (RAS), and the Commissioner, Wage and Investment Division, should:
Recommendation 6: Coordinate with the OIC and the Department of the Treasury, Office of the Deputy CFO, Risk and Control Group, to change the PCA status from closed to open on the JAMES for the corrective actions TIGTA identified as partially implemented in Appendix IV. The status of these PCAs should remain open until they are fully implemented as agreed to in the prior TIGTA reports.
       Management’s Response: IRS management agreed with this recommendation.
       The CFO will work with the appropriate business units and the Department of the Treasury to reopen seven previously closed corrective actions to establish new corrective actions that fulfill the original audit recommendations. The new corrective actions will remain open until fully implemented. The CFO will work with TIGTA and the appropriate business unit on the one remaining closed corrective action to determine whether or not it has been fully implemented.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether closed corrective actions to security weaknesses and findings reported by the TIGTA in prior audits have been fully implemented, validated, and documented as implemented. To accomplish our objective, we:
I.   Determined whether the IRS, specifically the offices of the CFO and the CTO, have an effective process and are complying with the requirements for closing completed PCAs.
     A. Identified and reviewed policies, procedures, and guidelines related to the identification, tracking, and closing of the PCAs reported in the JAMES.
     B. Interviewed OIC and JAC personnel to document and assess the procedures and their responsibilities over the JAMES process and to determine the cause when discrepancies were identified.
     C. Researched the IRM and IRS guidance to determine whether other policies, procedures, and guidelines exist regarding the closure of findings and the PCAs tracked on IRS systems that could augment and improve the closing actions of findings and recommendations within the JAMES process.
II.  Determined whether the PCAs were fully implemented, validated, and documented as implemented.
     A. Selected a judgmental sample¹ of 69 from 147 closed and implemented PCAs from the JAMES for the period October 2008 through December 2012. We used a judgmental sample because we were not projecting the review results.
     B. Determined whether the sample of closed security weaknesses, findings, and PCAs was fully closed. Specifically, we determined whether:
        1. Supporting documents, Form 13872, Planned Corrective Action Status Update for TIGTA/GAO/MW/AD/TAS/REM Reports, and other supporting documentation were uploaded in the JAMES.
        2. Form 13872 contained an executive signature related to the business unit responsible for the corrective action.
        3. Documentation supported implementation of the PCA and the closure of the weakness.
        4. Physical testing of the system to ensure that the PCAs had been fully implemented. We selected a judgmental sample of 19 closed and implemented PCAs for validation. We used a judgmental sample because we were not projecting the review results and due to budget constraints from the Federal Government sequestration.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We determined the following internal controls were relevant to our audit objective: the OIC’s policies, procedures, and practices for the identification, tracking, and closing of the PCAs reported in the JAMES. We evaluated these controls by interviewing OIC management and employees and the JACs, reviewing documents supporting the closure of the PCAs, and physically validating the PCAs.

¹ A judgmental sample is a nonstatistical sample, the results of which cannot be projected to the population.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Kent Sagara, Director
Deborah Smallwood, Audit Manager
Louis Lee, Lead Auditor
Cindy Harris, Senior Auditor
Michael Mohrman, Information Technology Specialist

Appendix III

Report Distribution List

Acting Commissioner
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Office of the Deputy Commissioner for Services and Enforcement SE
Commissioner, Small Business/Self-Employed Division SE:S
Commissioner, Wage and Investment Division SE:W
Director, Office of Research, Analysis, and Statistics RAS
Director, Risk Management Division OS:CTO:SP:RM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Chief Financial Officer OS:CFO
       Chief Technology Officer OS:CTO
       Commissioner, Small Business/Self-Employed Division SE:S
       Commissioner, Wage and Investment Division SE:W
       Director, Office of Research, Analysis, and Statistics RAS
Appendix IV

Assessment of Eight Planned Corrective Actions That Were Not Fully Implemented

Each entry below lists, in the order of the original table columns: the weakness from the issued audit report (Ref. No., PCA number, and finding title), the recommendation, the planned corrective action, and TIGTA’s assessment of the corrective actions not taken.

Ref. No. 2008-20-029, PCA 1-3-1¹ – Database Accounts With Default or Blank Passwords Continue to Be Found
       Recommendation: The Chief Information Officer should expand the criteria used for scanning IRS databases for the presence of administrator accounts with default or blank passwords.
       Planned Corrective Action: Cybersecurity’s Computer Security Incident Response Center will implement and expand a quarterly database scanning component to its vulnerability management program. Application Security Inc.’s DBProtect² will be used.
       TIGTA’s Assessment (Corrective Actions Not Taken): Implementation: Partial. The IRS is using the Guardium scanning tool, rather than DBProtect. Guardium scans are set for critical, major, and patch-level vulnerabilities, which include default and blank passwords. Currently, the IRS is scanning only Enterprise Operations servers; Windows SQL servers are not yet being scanned. As was reported in the 2008-20-029 report, the IRS is still not scanning all IRS databases.

Ref. No. 2008-20-176, PCA 1-2-1 – The Office of RAS Needs to Implement Adequate Security Controls
       Recommendation: The Director, Office of RAS, should require system administrators and their managers to:
       • Disable accounts that have not been accessed in more than 45 calendar days.
       • Remove accounts that have not been used in more than 90 calendar days.
       Planned Corrective Action: The Office of RAS has disabled accounts that have not been accessed in more than 45 days on the Compliance Data Warehouse (CDW) system and will continue to follow this practice. It will also develop and implement a policy of removing accounts on the CDW that have not been used in more than 90 days.
       TIGTA’s Assessment (Corrective Actions Not Taken): Implementation: Partial. The Office of RAS is not identifying accounts with inactivity on the CDW because it does not have an automatic script to identify the inactivity. It will need to reprogram the CDW so that locking a user’s UNIX account, used to access the CDW, does not affect or prevent the user from accessing other applications residing on this platform. The Office of RAS will be working on this problem.

Ref. No. 2008-20-176, PCA 1-4-1 – The Office of RAS Needs to Implement Adequate Security Controls
       Recommendation: The Director, Office of RAS, should remind managers to periodically review Form 5081, Information System User Registration/Change Request, records to validate that access to systems is limited to only those who have a need. Managers should also be reminded to verify that potential users have received favorable background investigations before granting them access to systems.
       Planned Corrective Action: The Office of RAS will use Online 5081 records to validate that system access is granted on a need-to-know basis. IRS users will not be granted access without first receiving favorable background clearances.
       TIGTA’s Assessment (Corrective Actions Not Taken): Implementation: Partial. TIGTA reviewed the employees’ Online 5081 of one manager and found that all were contractors. TIGTA verified that all but one contractor had a valid background investigation indicator on the Online 5081 system. TIGTA received verification of a background approval letter for the contractor, but the manager provided system access without knowledge that the background investigation had been approved. The approval letter was obtained from the Contracting Officer Representative, not from the manager approving access.

Ref. No. 2008-20-176, PCA 1-5-1 – The Office of RAS Needs to Implement Adequate Security Controls
       Recommendation: The Director, Office of RAS, should ensure that audit and accountability controls are sufficient by requiring audit logs to be maintained a minimum of six years and to be periodically reviewed by the security officer.
       Planned Corrective Action: The audit logs will now be retained for six years, and the security officer designated will perform these reviews.
       TIGTA’s Assessment (Corrective Actions Not Taken): Implementation: Partial. On June 12, 2013, TIGTA requested follow-up documentation of audit log reviews for Office of RAS systems, the YK1 Link Analysis Tool, the Statistics of Income Distributed Processing System, and the CDW but has yet to receive them.

Ref. No. 2009-20-120, PCA 1-2-1 – Although Controls Have Improved, Additional Steps Could Be Taken to Expand the Reporting of Incidents and the Protection of Sensitive Data Description
       Recommendation: The CTO should ensure that all backup data are properly protected from unauthorized access and disclosure. Specifically, IRS offices should 1) conduct annual inventory reconciliations of stored backup media at all off-site storage facilities in accordance with IRS policy and 2) validate lists of IRS employees authorized to access the backup data at off-site storage facilities when changes occur or at least annually.
       Planned Corrective Action: The Modernization and Information Technology Services organization (currently the Information Technology organization) will ensure that backup media is properly protected from unauthorized access and disclosure by ensuring that media management controls and encryption are in place. In addition, it will follow policies and procedures for sending and maintaining backup data to designated off-site storage facilities, schedule and conduct regular off-site storage facility reconciliations as documented in IRM 2.7.5, and validate the authorized access list with the Contracting Officer Representative on an annual basis.
       TIGTA’s Assessment (Corrective Actions Not Taken): Implementation: Partial. The IRS no longer has private vendor off-site storage facilities. Backup media is sent to the other campuses or computing centers. IRS personnel stated the annual inventory reconciliation is conducted between the facilities; however, the reconciliation is not documented unless a discrepancy is identified. Backup media controls and encryption are in place.

Ref. No. 2010-20-028, PCA 1-6-1 – Several Access Controls Have Been Implemented, but Additional Controls Are Needed for the Call Site Employees
       Recommendation: The Commissioners, Wage and Investment and Small Business/Self-Employed Divisions, should instruct all Automated Collection System managers to immediately review the Online 5081 system for all of their employees who need elevated Resource Access Control Facility privileges to ensure that the manager’s approval is documented in the employees’ Online 5081 profile.
       Planned Corrective Action: The Wage and Investment and Small Business/Self-Employed Divisions will direct the sites to document managerial approval on all elevated Resource Access Control Facility privileges as reflected in the Online 5081 system. Additionally, both operating divisions have included this security issue in their Fiscal Year 2010 Operational Review Plans.
       TIGTA’s Assessment (Corrective Actions Not Taken): Implementation: Partial. The IRS provided print screens of Online 5081. System administrators conducted quarterly reviews of elevated privileges, but they do not document the reviews or the results. The Fiscal Year 2010 Operational Reviews included security issues.

Ref. No. 2010-20-051, PCA 2-1-1 – The IRS Did Not Ensure That Computer Security Weaknesses Identified at Contractor Facilities Are Timely Corrected
       Recommendation: The Associate Chief Information Officer, Cybersecurity, should validate correction of Infrastructure Security and Reviews (ISR) office’s reported security weaknesses and recommend a process for reporting weaknesses that remain unmitigated to increase the accountability of the responsible parties for remediation of security weaknesses.
       Planned Corrective Action: Cybersecurity’s ISR office will establish a plan that delineates sending out a request for status updates on POA&Ms from the responsible business unit. As appropriate, the ISR office will validate the correction of findings in the POA&M during the POA&M continuous monitoring process or during follow-up security reviews. In addition, the ISR office will forward a copy of the uncorrected weaknesses to the appropriate business unit quarterly to ensure that the responsible parties are made aware of the need to remediate weaknesses.
       TIGTA’s Assessment (Corrective Actions Not Taken): Implementation: Partial. The ISR office is no longer sending out a request for status updates nor has the ISR office received all the previously sent requests. In addition, copies of uncorrected weaknesses are not sent to the appropriate business unit quarterly to ensure that the responsible parties are made aware of the need to remediate weaknesses. Instead, the ISR office manages the weaknesses annually during the follow-up reviews on a manually tracked POA&M. The ISR office ceased quarterly distribution in 2012 due to a limited response from the Contracting Officer Representatives, planned migration to the Archer Tool,³ and planned changes in the ISR office standard operations procedures.

¹ The PCA reference number used throughout Appendix IV consists of three numbers which coincide with information from the referenced audit report. The first number accounts for the placement of the finding in the report, the second number is the report’s recommendation number, and the third number is the IRS’s corrective action for that recommendation, which is from the management response to the audit report.
² DBProtect is a precision database security and compliance solution that helps organizations control their database security processes and streamlines key database security activities while enabling organizations to achieve database security, minimize risk, and achieve regulatory compliance.
The ISR office plans to\n                                                                                                    use the Archer Tool in the future for\n                                                                                                    both storage and tracking once the\n                                                                                                    data have been uploaded onto the\n                                                                                                    system.\n\n\n\n\n   3\n     The Archer Tool offers management solutions to facilitate continuous monitoring by collecting, organizing, and\n   displaying all technical data scan results from information technology tools and analyzes the results with a single\n   risk-scoring capability.\n                                                                                                                           Page 18\n\x0c                                 Improved Controls Are Needed to Ensure That\n                           All Planned Corrective Actions for Security Weaknesses\n                               Are Fully Implemented to Protect Taxpayer Data\n\n\n\n  Weaknesses\n From Issued                                                       Planned                          TIGTA\xe2\x80\x99s Assessment:\n Audit Reports            Recommendations                      Corrective Actions                Corrective Actions Not Taken\nRef. No.            
The CTO should ensure that           The Associate Chief Information        Implementation: Partial\n2011-20-044         databases with out-of-support        Officer, Enterprise Services, will\n                    Database Management System           coordinate with affected               Not all Database Management\nPCA 2-2-1           software are upgraded to currently   stakeholders to develop a migration    System software is at the currently\n                    supported versions within a          plan to upgrade the Database           supported versions. In addition,\nProduction                                                                                      scans did not identify all database\nEnvironment         reasonable time period. For those    Management System software to\n                    systems where upgrading the          currently supported versions. An       versions due to systems development\nDatabases Were                                                                                  constraints.\nRunning             database software or                 inventory of all servers with\nOut-of-Date         implementing security patches        databases on them and their\nDatabase Software   have been determined to be           associated versions will be created.\nThat No Longer      dangerous to the stability of the    The Enterprise Services\nReceives Security   system, a migration plan should      organization will then outline steps\nPatches and Other   be developed and a properly          to take to address versions older\nVendor Support      approved deviation should be on      than n-1 and updates will be\n                    file to justify departure from       installed accordingly. The\n                    stated standards.                    
Enterprise Services organization\n                                                         will establish ongoing monitoring\n                                                         of servers and institutionalize a\n                                                         process to keep software current.\n\n\n\n\n                                                                                                                     Page 19\n\x0c            Improved Controls Are Needed to Ensure That\n      All Planned Corrective Actions for Security Weaknesses\n          Are Fully Implemented to Protect Taxpayer Data\n\n\n\n                                                    Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                          Page 20\n\x0c      Improved Controls Are Needed to Ensure That\nAll Planned Corrective Actions for Security Weaknesses\n    Are Fully Implemented to Protect Taxpayer Data\n\n\n\n\n                                                    Page 21\n\x0c      Improved Controls Are Needed to Ensure That\nAll Planned Corrective Actions for Security Weaknesses\n    Are Fully Implemented to Protect Taxpayer Data\n\n\n\n\n                                                    Page 22\n\x0c      Improved Controls Are Needed to Ensure That\nAll Planned Corrective Actions for Security Weaknesses\n    Are Fully Implemented to Protect Taxpayer Data\n\n\n\n\n                                                    Page 23\n\x0c      Improved Controls Are Needed to Ensure That\nAll Planned Corrective Actions for Security Weaknesses\n    Are Fully Implemented to Protect Taxpayer Data\n\n\n\n\n                                                    Page 24\n\x0c'